
Defining Access Controls

In addition to the Options and AllowOverride directives, the Directory containers in the previous listing enclose Order, Allow, and Deny directives. These three directives permit you to define host-level access controls. One example taken from the previous listing will make this capability clear. The listing below shows a Directory container and an associated Alias directive.

Apache Access Controls
Alias /doc/ /usr/share/doc/
<Directory /usr/share/doc>
    order deny,allow
    deny from all
    allow from localhost .localdomain
    Options Indexes FollowSymLinks
</Directory>

This example shows an Alias directive that maps the document name "doc" to the directory /usr/share/doc, and the Directory container for /usr/share/doc, which is a directory on Linux systems that contains a wide range of documentation. The access controls in the Directory container allow users who are logged on to the web server to access the directory through a browser using the document name "doc". Users who are not directly logged into the server are denied access. Users who are granted access see a directory index of /usr/share/doc.

The most important thing to realize is that this index is presented only to users logged in to the localhost; that is, the web server. The specific access controls used in Listing 6.4 to limit access to users logged on to the localhost are the following:

Order Defines the order in which the access control rules are evaluated. The order deny,allow line tells httpd to apply the rule defined by the Deny directive first and then permit exceptions to that rule based on the rule defined by the Allow directive. The example blocks access from everyone with the deny rule, and then permits exceptions for the system that has the hostname localhost and for systems that are part of the localdomain domain with the allow rule.

Deny from Identifies hosts that are not allowed to access web documents found in this directory. The host can be identified by a full or partial hostname or IP address. A domain name can be used to match all hosts in a domain. The keyword all blocks all hosts, which is what is done in the previous listing.

Allow from Identifies hosts that are permitted to access documents. The host can be identified by a full or partial hostname or IP address. A domain name can be used to match all hosts in a domain. The keyword all permits all hosts, which is what was done in most of the Directory containers in the previous listing. After all, you usually create web data to share it with the world. However, the container in the previous listing is different: it limits access to a specific host. The Allow from directive in the previous listing contains both a hostname and a domain name. The hostname localhost maps to the loopback address 127.0.0.1 assigned to the internal loopback interface lo0. No external host can access the loopback interface. Further, we saw that Red Hat creates a domain called localdomain that contains only one hostname: localhost. The Allow from directive in Listing 6.4 permits only the local host to access the /usr/share/doc directory.

Assume that you wanted to make the /usr/share/doc directory available to every host in the example.org domain. Edit the httpd.conf file, changing the Allow from directive in the /usr/share/doc container to the following:

allow from localhost .example.org

This permits access through the loopback interface from the local host, and through the network from every host in the example.org domain.
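The following Python script is an added example, not part of the original text or of Apache itself. It simulates how httpd evaluates Order, Deny from, and Allow from for one client, using the matching forms described above (the keyword all, a domain name, a full or partial hostname, a full or partial IP address), and runs the listing's rules and the .example.org variant against a handful of constructed client addresses and hostnames. The matcher is a simplification written for illustration; the sample IP addresses and hostnames are invented. It also shows the check a practitioner wants to make before relying on order deny,allow: unless the Deny rule names all, any host matched by neither directive is let in.

```python
import ipaddress


def _host_matches(pattern, client_ip, client_host):
    """Return True if one Allow/Deny token matches the client.

    Simplified model of the forms the text describes: the keyword all,
    a domain name (".example.org" or "example.org" matches every host
    in that domain), a full hostname, and a full or partial IP address
    (a CIDR block is accepted too). Not Apache's own matcher.
    """
    pattern = pattern.lower()
    if pattern == "all":
        return True
    # Full, partial ("192.0.2") or CIDR ("192.0.2.0/24") IP address.
    if pattern.replace(".", "").replace("/", "").isdigit():
        if "/" in pattern:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        return client_ip == pattern or client_ip.startswith(pattern.rstrip(".") + ".")
    # Hostname or domain name (the client name comes from reverse DNS; None if it has none).
    host = (client_host or "").lower()
    domain = pattern if pattern.startswith(".") else "." + pattern
    return host == pattern.lstrip(".") or host.endswith(domain)


def decide(order, deny_from, allow_from, client_ip, client_host=None):
    """Evaluate Apache-style Order/Deny/Allow and return "allow" or "deny".

    order      : "deny,allow" or "allow,deny"
    deny_from  : list of tokens as written after "deny from"
    allow_from : list of tokens as written after "allow from"
    """
    denied = any(_host_matches(p, client_ip, client_host) for p in deny_from)
    allowed = any(_host_matches(p, client_ip, client_host) for p in allow_from)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny is applied first, Allow then carves out exceptions; the
        # default for hosts matching neither directive is ALLOW.
        return "allow" if allowed else ("deny" if denied else "allow")
    if order == "allow,deny":
        # Allow is applied first, Deny then overrides it; the default for
        # hosts matching neither directive is DENY.
        return "deny" if denied else ("allow" if allowed else "deny")
    raise ValueError("unsupported Order value: " + order)


# Rules from the listing and from the .example.org variant.
LISTING_DENY = ["all"]
LISTING_ALLOW = ["localhost", ".localdomain"]
EXAMPLE_ORG_ALLOW = ["localhost", ".example.org"]

# Constructed sample clients: (IP address, reverse-DNS name or None). Hypothetical values.
SAMPLE_CLIENTS = [
    ("127.0.0.1", "localhost"),
    ("127.0.0.1", "localhost.localdomain"),
    ("192.0.2.10", "ws10.example.org"),
    ("198.51.100.7", "crawler.example.net"),
    ("203.0.113.5", None),
]


def evaluate(allow_from, deny_from=LISTING_DENY, order="deny,allow"):
    """Run one rule set over the sample clients; returns {(ip, host): decision}."""
    return {(ip, host): decide(order, deny_from, allow_from, ip, host)
            for ip, host in SAMPLE_CLIENTS}


def unlisted_host_decision(order, deny_from, allow_from):
    """Decision for a host that matches neither Deny nor Allow: exposes the default."""
    return decide(order, deny_from, allow_from, "203.0.113.5", None)


if __name__ == "__main__":
    for label, allow in (("listing", LISTING_ALLOW), ("example.org", EXAMPLE_ORG_ALLOW)):
        print("allow from", " ".join(allow))
        for (ip, host), verdict in evaluate(allow).items():
            print("  %-15s %-25s %s" % (ip, host or "-", verdict))
    # Without "deny from all", order deny,allow lets unlisted hosts through.
    print("deny,allow without 'all':", unlisted_host_decision("deny,allow", [".example.net"], ["localhost"]))
    print("allow,deny, same lists:  ", unlisted_host_decision("allow,deny", [".example.net"], ["localhost"]))
```

Running the script prints the verdict for each sample client under both Allow from lines, then the two default cases. The last two lines are the point to remember: with order deny,allow the listing is only closed because it says deny from all; swap the deny rule for a domain name and every host outside that domain is permitted, whereas order allow,deny denies by default.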

The example in the previous listing controls access at the host level. This type of control is commonly used to segregate information for internal users from information for external customers. It is also possible to control file access at the user and group level.
